Automating CLM for Akamai CPS

The Akamai CPS (Certificate Provisioning System) provides full lifecycle management of SSL/TLS certificates for Akamai Secure Delivery Network applications.

Prerequisites

  • Follow Create authentication credentials to generate the client token, client secret, and access token required to authenticate to Akamai CPS.
  • To enable this API, choose the Certificate Provisioning System API service, and set the access level to READ-WRITE.
  • Ensure your API credentials have the following grants: CPS and Contracts-API_Contracts.
  • The user must have access to the Property Manager API (PAPI).
  • Ensure the user's PAPI access level is set to READ to allow read operations through the API.

Onboarding Akamai CPS Device

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the + (Add) icon.
  4. Select Akamai from the Vendors list.
    The Akamai server configuration screen is displayed.
  5. In the Server Details section, enter details as mentioned:
    Table 1. Server Details - Field Description Table
    Field Description
    *Server name Enter a unique name for the server.
    *IP address/ FQDN Enter a valid IP address or FQDN for device communication and integration with the Akamai CPS.
    Data center Choose the desired data center.
    Proxy required Select the checkbox to enable the secure proxy service.
    Cert sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter details as mentioned below.
    Table 2. Credentials - Field Description Table
    Field Description
    *Client token Enter the client token as provided by the vendor.
    *Client secret Enter the client secret as provided by the vendor.
    *Access token Enter the access token as provided by the vendor.
    *API Version Enter the value, example cps/v2. (The same value is provided as the placeholder.)
    *: Mandatory fields
  7. Click Save.
    The Akamai CPS device is onboarded successfully.

Validating the Device

After the device is onboarded successfully, follow the steps to validate the device communication with AppViewX:
  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified status in the status column.
    The status column will have the value Managed/Monitored/Ignored if the connection is successful or displays Failed/Unresolved in case of failure.
  4. In the Status column, click the status value (Managed/Monitored/Ignored/Failed/Unresolved).
    The Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to know the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.

Configuring Device Settings

When a certificate is enrolled with a server device as the endpoint, Akamai requires a long list of mandatory details in the enrollment request. Adding these fields alongside the CSR parameters would make the enrollment form too long. Because these values are fixed and only need to be entered once, the additional mandatory fields are provided on the global device settings page. The details saved on the global settings page are based on the combination of the Validation Type, Secure Network, and Vendor Certificate Type fields that are available on the enrollment page.
  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Device Settings) icon.
  4. Select Akamai from the Vendors list.
    The Akamai Vendor Specific Details configuration screen is displayed.
  5. Enter the fields in the respective sections as described:
    Table 3. Field descriptions for the Vendor Specific Details page
    Field Description
    General Information
    *Validation Type Select a validation type from the dropdown list for the endpoint. The default value is Third-party.
    *Secure Network This field helps identify the type of deployment network. Select the secure network from the dropdown list for the endpoint. The default value is Standard TLS.
    *Vendor Certificate Type Denotes the domain and organization validation type. Select a vendor certificate type from the dropdown list for the endpoint. The default value is Third-party.
    Organization Information
    *Name Enter the organization's name.
    *Address Enter the organization's address.
    *Country Enter the organization's country code.
    *City/Municipality Enter the organization's city or municipality.
    *State/Province Enter the organization's state or province.
    *Zip/Postal Code Enter the organization's zip or postal code.
    *Phone Number Enter the organization's phone number.
    Admin Contact Information
    *First Name Enter the administrator's first name
    *Last Name Enter the administrator's last name
    *Phone Number Enter the administrator's phone number
    *Email Enter the administrator's email
    Tech Contact Information
    *First Name Enter the technical contact's first name
    *Last Name Enter the technical contact's last name
    *Phone Number Enter the technical contact's phone number
    *Email Enter the technical contact's email
    *: Mandatory fields
  6. Click Update.
    The vendor details are saved successfully.

Enrolling Server Certificates

Prerequisite
  • Before proceeding with the endpoint enrollment for Akamai CPS, the Device Settings configuration is a must.
Note:
  • The product supports the enrollment and deployment of certificates for a single stack. The CSR content is generated based on the key type selected on the enrollment page.
  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Server
    The Enroll Server Certificate page is displayed.
  2. In the General Information section, from the dropdown list, select the required Assign Group.
  3. Enter the CA Details.
    Table 4. Field descriptions for the CA Details section
    Field Description
    *Certificate Authority From the dropdown list, select the certificate authority to request the certificate enrollment.
    Note: The IDnomic CA can be used for issuing certificates only in an on-prem deployment. Certificates issued through IDnomic CA can be renewed only if they are enrolled using a Registration Authority workflow.
    *Renew Automatically
    Note:
    To automatically renew this certificate:
    1. Turn on the Renew Automatically toggle.

      The *Start Renewing field is displayed.

    2. Specify how many days prior to a certificate's expiry the renewal process should start.

      Valid range for number of days: 1 to 120

    Note: The auto renew settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was renewed manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *Regenerate Automatically To automatically regenerate this certificate:
    1. Turn on the Regenerate Automatically toggle.

      The *Start Regenerating field is displayed.

    2. Specify how many days prior to a certificate's expiry the regeneration process should start.

      Valid range for number of days: 1 to 120

    Note:
    • This value can exceed the certificate's validity in case of short-lived certificates.
    • This feature can be enabled only for valid certificates (not for revoked/suspended and expired certificates).
    • The auto regenerate settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was regenerated manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *CA Account From the dropdown list, select the CA account to which the certificate enrollment request will be submitted.
    *Certificate Type From the dropdown list, select the required certificate type.
    *Division
    Note: This field is applicable only for DigiCert CA.
    From the dropdown list, select the division with which the certificate will be enrolled.
    Certificate Profile
    Note: This field is displayed for only selected CAs. For the IDnomic CA, this field is displayed when only-CA setting is selected from the CA Account dropdown list.

    From the dropdown list, select the certificate profile with which the certificate must enroll.

    *RA Workflow
    Note: This field is displayed when Certificate Authority = IDnomic and a CA+RA setting is selected from the CA Accounts dropdown list.
    From the dropdown list, select the RA workflow that will be used for certificate enrollment.

    For the details of a workflow, you can check them on your CA portal on IDnomic.

    *Issuer Location
    Note: This field is applicable only for Google CA.

    From the dropdown list, select the issuer location associated with the CA account.

    *Issuer Name
    Note: This field is applicable only for Google CA.

    From the dropdown list, select the issuer name for issuing the certificate.

    *Connector Name Enter a friendly name for the CA connector.

    On saving this form, the name entered here will be displayed in the holistic view.

    Description
    Note: Character limit: 2000 characters

    Enter the description in this field.

    *CSR Generation
    Note: This field is applicable for all CAs except Amazon.

    From the following options, select the required method for generating the CSR:

    • AppViewX: Private key and CSR will be created in AppViewX based on CSR parameters given.
      Note: If auto regeneration has been enabled for this certificate, AppViewX can be enforced as the default CSR generation source (irrespective of any selections made here) every time the certificate is regenerated. To do this, execute the following db script:
      db.cert_metadata.insertOne({"_id":"CERT_AUTO_REGENERATE_DEFAULT_APPVIEWX_CSR", "flag":true})
    • Upload CSR: You can upload a file that contains the CSR details. This source file will be used to populate the CSR parameters, which will then be submitted to the CA.
      1. Select Browse, navigate to the location of your CSR file, and click Open.
      2. Click Upload.
    • HSM:
      Note: This option is not displayed when Certificate Authority = Google, CSC Global, and DigiCert One.
      To generate the private key and the CSR, based on the CSR parameters given, in an HSM device:
      1. Under CSR Generation, select HSM.
      2. Fields for gathering your HSM-related inputs are displayed.

        Table 5. To generate the private key and the CSR, enter the following details:
        Field Description
        *Device Type From the dropdown list, from the following options, select the type of device on which the private key and the CSR will be generated:
        • HSM Devices
        • ADC Devices
        *Vendors
        Note: This field is applicable only when Device Type = ADC Devices.
        *Devices From the dropdown list, select the required HSM/ADC device.
        Note: This field is populated based on the Device Type and Vendors selected.
        *Key Handler Name
        Note: This field is applicable only when Device Type = HSM Devices.
        Enter the key handler name.
        *Key Reference Name
        Note: This field is applicable only when Device Type = ADC Devices.
        Enter the key reference name.
    • End Point:
      Note: This option is disabled when Certificate Authority = Google and CSC Global.
      Table 6. To generate the private key and the CSR in the selected end point device, enter the following inputs:
      Field Description
      Category Select Server from the dropdown list.
      Vendor Select AkamaiCPS from the dropdown list.
      *Devices This field is auto-populated.
      *Contract ID This field is auto-populated if you have configured device settings.
      *Validation Type This field is auto-populated if you have configured device settings.
      *Secure Network This field is auto-populated if you have configured device settings.
      *Vendor Certificate Type This field is auto-populated if you have configured device settings.
    *: Mandatory fields
  4. For the EJBCA certificate authority, enter the vendor details.
    Table 7. Field descriptions for the EJBCA Vendor Specific Details section
    Field Description
    * End Entity Profile Name From the dropdown list, select the end entity profile name.
    End entity user name Enter the name of the end user entity.
    * Issuer Common Name From the dropdown list, select the issuer common name.
    *Certificate Profile Name From the dropdown list, select the certificate profile name.
    *: Mandatory fields
  5. For the certificate being enrolled, enter the CSR Parameters.
    Note: For DigiCert One, all CSR parameters that are assigned static values in the certificate profile will be auto-populated and disabled for editing.
    Table 8. Field descriptions for the CSR Parameters
    Field Description
    *Common Name Enter the certificate's common name.

    The common name is one of the key values of Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>.

    Note: Constraints:
    • Character limit: 64 characters
    • No special characters allowed except underscore (_) and hyphen (-).
    Subject Alternative Name From the dropdown list, select the Subject Alternative Name category for the certificate being enrolled.

    In the corresponding field(s) displayed for the selection made, enter the required values.

    Note:
    • Multiple values must be separated by a comma.
    • After enrollment, the cumulative count of SANs is displayed in the certificate property pop-up window from the holistic view.
    *Organization The organization name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Organization Unit Organization Unit name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Locality The locality name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    State The state name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Country Country name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on configuration. It must be a 2-letter country code (for example, US, and so on).
    Note: For renewal of the certificate being enrolled, country name is required.
    Email Address Enter a valid email address of the person responsible for maintaining the certificate.
    *Validity To specify the validity of the certificate being enrolled:
    1. From the first dropdown list, select the number of days/months/years.
    2. From the second dropdown list, select the unit of the duration from the following values: Days/Months/Year.
      For example, if the validity of the certificate is 2 months:
      1. From the first dropdown list, select 2.
      2. From the second dropdown list, select Months.
    Challenge Password Challenge password is one of the CSR parameters to be present in the certificate. The password must contain at least one letter (uppercase and lowercase), one number, and one special character.
    Confirm Password Re-enter the password entered in the Challenge Password field.
    *Hash Function The Hash function with which the CSR has to be signed. Any information specific to any CA or vendor has to be covered in the Note section. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, by default, the CA returns a certificate with SHA256. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create policy with a single hash value (SHA256).
    *Key Type The key type is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *Bit Length The bit length is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *: Mandatory fields
  6. In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).
    Table 9. Field descriptions for the Attachments section
    Field Description
    Name Enter a name for the document. This need not be the actual name of the document; it can be an alternate name that will be used for reference only.
    Comments Enter any details relevant to the document being attached.
    Note: Character limit: 2000 characters
    Upload File To upload an attachment:
    1. Click Upload.
    2. Navigate to the location of the document to be uploaded.
    3. Select the document to be uploaded and click Open.

      The selected document is uploaded and listed in the table displayed below these fields in the Attachments section.

      Tip: If you've uploaded multiple attachments, use the Search field to find the required one.
    *: Mandatory fields
  7. In the Certificate Attributes section, provide the organization-specific values for both the certificate attributes and the custom attributes required by the issuing CA to be included with the CSR.
    These values will not be a part of the certificate but will be available in the AppViewX inventory. For example, cost center.
    Note: This additional information can be used to filter certificate details in the inventory.
  8. Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.
    Table 10. Field descriptions for the Generic Fields
    Field Description
    Device Name Enter the name of the device.
    Application IP Address Enter the IP address of the application.
    Tracking ID A free-form business alpha-numerical identifier, included in the audit logs, that may be used to correlate audit log entries (typically enrollment and revocation events)
    Certificate holder Email
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    An email address that may be used to send notifications to certificate holder depending on the notification policies configured for the requested workflow
    First name
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    First name (as a metadata) associated with the certificate to be enrolled
    Last name
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Last name (as a metadata) associated with the certificate to be enrolled
    Organization
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Organization name (as a metadata) associated with the certificate to be enrolled
    Comment
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Additional information (as a metadata) associated with the certificate to be enrolled
    UUID
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Universal Unique Identifier, or UUID, (as a metadata) associated with the certificate to be enrolled
  9. In the Vendor-Specific Details section, enter the CA-specific details. Some CAs expect additional details, beyond the CSR parameters, as metadata for their operational purposes. Details common to all CAs will be taken from the AppViewX user information of the logged-in user.
    Table 11. Field descriptions for the common vendor specific details
    Field Description
    Certificate ID The Certificate ID is auto-populated based on the value entered in the Common Name field (in the CSR Parameters section).
    • The Certificate ID can be modified by the user.
    • If the user edits the Certificate ID, any change to the Common Name will not reflect in the Certificate ID.
    • If the user deletes the Certificate ID, the value of the Certificate ID field is set to the Common Name suffixed with the timestamp.
    Table 12. Field descriptions for the CSC Global CA vendor specific details
    Field Description
    *Server Type From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
    *Business Unit Enter the name of the business unit that is requesting the certificate.
    *Organization Contact Enter the email address of the contact in the organization requesting the certificate.
    *Phone Number Enter the phone number of the Organization Contact in the following format: +<country code>-<phone number>.
    Note: For CSC Global, the phone number is not fetched from the AppViewX user information because of the difference in format.
    *Domain Control Validation Type From the following options in the dropdown list, select the method CSC Global will use for authentication before issuing a certificate:
    • EMAIL: CSC Global will send an approval/confirmation request to the registered email ID. Certificate issuance happens only after approval is received.
    • CNAME: On requesting certificate issuance, CSC Global will provide you with a dynamic string. Add a CNAME record with this string to your DNS settings. CSC will issue the certificate requested only after validating this CNAME record.
    Note: CSC Global will perform domain validation for all CLM actions.
    *: Mandatory fields
    Table 13. Field descriptions for the DigiCert CA vendor specific details
    Field Description
    *Server Type From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
    *Payment Method From the dropdown list, select one from the following payment methods:
    • Bill To Account Balance: This option allows you to pay for the DigiCert certificate using the available balance in your DigiCert account.
      Note: Ensure that the option to bill to account balance is enabled for the account and the account has sufficient balance.
    • Bill To Default Credit Card: This option will charge the cost of the DigiCert certificate to the credit card set as the default payment method in your DigiCert account.
      Note: Ensure that a credit card is configured as the default payment method for your account.
    Additional Email Enter email addresses that will receive notifications for renewals, reissues, and duplicates for the specified order.
    Renewal Message Enter a custom message that will be sent with the renewal notifications.
    Notes Enter a custom note that will be sent with the order.
    *: Mandatory fields
    Table 14. Field descriptions for the DigiCert One CA vendor specific details
    Field Description
    Seat ID Enter the seat ID that will be assigned to the certificate being enrolled.
    Seat ID is a unique user-defined value assigned to identify an entity in the DigiCert One account. The seat ID for a certificate is used for certificate enrollment, renewal, and regeneration.
    Note: The Seat ID field is displayed only if the Allow Seat ID during enrollment option is selected for the CA account. In this case, the value entered in the Seat ID field is a unique identifier for the certificate being enrolled. Otherwise, a common seat ID is assigned to all certificates enrolled for the selected CA account.
    Table 15. Field descriptions for the GlobalSign MSSL CA vendor specific details
    Field Description
    *Profile name A profile name is defined at the time of creating an account on the GlobalSign MSSL portal. AppViewX retrieves all your profile names from the GlobalSign MSSL portal and populates them in this dropdown list.

    From the dropdown list, select the profile name the enrolled certificate should be mapped to.

    *: Mandatory fields
    Table 16. Field descriptions for the Hydrant ID CA vendor specific details
    Field Description
    Expiry Emails Enter a comma-separated list of email addresses that will receive the certificate expiry notification from HydrantID.
    Note: HydrantID CA does not accept updates to these email addresses during the renewal process.
    Table 17. Field descriptions for the Nexus CA vendor specific details
    Field Description
    Procedures The Procedures dropdown list will display only the procedures mapped to the server and the default procedure. From the dropdown list, select the required procedure.
  10. Click Add.
    Once the details are added, you will be redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view and from here, any action on the certificate can be performed including provisioning the certificate to a server.
  11. On the holistic view, click the Submit button to trigger the request.
    The submit action is triggered and the Submit dialog box is displayed.
  12. Enter your comments in the text field and click Yes.
    If the approval required option is enabled in the CA policy, the request is moved to the Approve and Implementation stages.
  13. Click Approve to proceed.
    The Approve dialog box is displayed.
  14. Enter your comments in the text field.
    Note: If the workflow request has to be approved automatically in the future, click the Schedule later button.
  15. Click Yes.
    Once the approval process is complete, the Implement option is displayed in the holistic view.
  16. Click Implement.
    The Implement dialog box is displayed.
  17. Enter your comments in the text field.
    If the workflow request has to be implemented automatically in the future, click Schedule later.
  18. Click Yes.
    CSR submission to the CA is in progress. Once the CSR submission is successful, the request state changes to Submit certificate - retrieval in progress.

    If the enrollment request complies with the defined conditions and auto-approval is enabled in the targeted CA, the certificate will be fetched in a few seconds.

    If auto-approval is disabled in the targeted CA, you will have to log in to the CA and approve the request.

    Once the certificate is issued successfully, the certificate will be retrieved into AppViewX. You can now push the enrolled certificate(s) to the required endpoint.
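
For the Upload CSR option in the CA Details step above, the uploaded file populates the CSR parameters that are submitted to the CA, so it is worth checking before upload. The following is an added example, not AppViewX or Akamai code: it uses the openssl command line to confirm that the file holds no private key, that the CSR's self-signature verifies, and that the Common Name, key size, and hash function match what you intend to enroll. The function names, the sample CN appviewx-demo, and the 2048/sha256 values are assumptions.

```shell
#!/bin/sh
# Added example: lint a CSR before using the "Upload CSR" option.
# EXPECT_CN, MIN_BITS and WANT_HASH are assumed inputs; take the real
# values from the enrollment form and the certificate group's policy.

# check_csr FILE EXPECT_CN MIN_BITS WANT_HASH   (WANT_HASH in lowercase)
# Returns 0 if the CSR is acceptable, 1 otherwise (reasons on stderr).
check_csr() (
    csr=$1; expect_cn=$2; min_bits=$3; want_hash=$4; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # The upload should carry the request only, never the private key.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$csr"; then
        fail "file contains a private key block"
    fi

    # The self-signature proves the requester holds the matching private key.
    # The message is matched because some openssl builds exit 0 on failure.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        fail "CSR is unreadable or its self-signature does not verify"
        return 1
    fi

    text=$(openssl req -in "$csr" -noout -text)
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1 | tr 'A-Z' 'a-z')

    # Common Name: present, the one you mean to enroll, within the 64-char limit.
    [ -n "$cn" ] || fail "no Common Name in subject"
    [ "$cn" = "$expect_cn" ] || fail "Common Name '$cn' is not '$expect_cn'"
    [ "${#cn}" -le 64 ] || fail "Common Name exceeds 64 characters"

    # Bit Length: MIN_BITS is an RSA-style threshold (assumption).
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        fail "key size '$bits' is below $min_bits bits"
    fi

    # Hash Function: the CSR must be signed with the hash the policy allows.
    case $sigalg in
        *"$want_hash"*) ;;
        *) fail "signature algorithm '$sigalg' does not use $want_hash" ;;
    esac

    return "$rc"
)

# Constructed sample: throwaway 2048-bit RSA key and CSR (not a real request).
# make_sample_csr DIR NAME CN DIGEST -> DIR/NAME.key and DIR/NAME.csr
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes "-$4" \
        -subj "/C=US/O=Example Org/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir" demo appviewx-demo sha256
check_csr "$demo_dir/demo.csr" appviewx-demo 2048 sha256 && echo "demo.csr: OK"
check_csr "$demo_dir/demo.csr" appviewx-demo 2048 sha384 || echo "demo.csr: rejected"
rm -rf "$demo_dir"
```

A file that bundles the key with the request fails the first check even though the CSR inside it is valid, which keeps the private key out of the upload path.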

Adding Application Connector

  1. On the certificate holistic view, click Add Connector.
  2. Enter the General Information for the connector.
    Table 18. Field descriptions for the connector General Information
    Field Description
    *Category From the dropdown list, select Server.
    *Vendor From the dropdown list, select Akamai CPS.
    *Connector Name Enter a name for this connector, to be able to identify it later.
    Tip: AppViewX recommends naming connectors according to use cases so they are easily distinguishable.
    Description Enter any additional details you want to record for this connector.
    Based on the information entered here, the Server selection section is populated with the list of available Akamai CPS server devices already onboarded in AppViewX.
  3. To select the device(s) to which the certificate will be pushed, under Server selection, from the list of Available Devices, click .
    The Selected devices list is updated automatically.
  4. Enter the Certificate Details.
    Table 19. Field descriptions for the Certificate Details
    Field Description
    Certificate Type From the dropdown list, select the file type of the certificate to be pushed.

    For Akamai CPS, by default, the PEM (*.pem) certificate is selected and the dropdown list is non-editable.

    Private Key in Device If the private key associated with the certificate being pushed has been stored on the end device, select this checkbox.

    For Akamai CPS, this feature is enabled by default and the field is non-editable.

    Push Root and Intermediate Certificates To push the root and intermediate certificates, along with the end certificate, select this checkbox.

    For Akamai CPS, this feature is enabled by default and the field is non-editable.

  5. Enter the Push Details.
    Table 20. Field descriptions for the Push Details
    Field Description
    *Script Location Script files are commonly used to perform certain tasks required to be completed before and/or after a certificate is pushed to the target system.

    The script to be run before the certificate is pushed is called a pre-push script and the script to be run after the push is called a post-push script.

    From the following options, select the location of the script file(s):

    • In AppViewX
    • In Device
    Pre - Push Script File Name Enter the file name of the pre-push script.
    Important: Read the pre and push script usage instructions here.
    Pre - Push Script File Path This field is displayed when Script Location = In Device.
    Enter the location on your local system where the pre-push script file is stored.
    Important: Read the pre and push script usage instructions here.
    Post - Push Script File Name Enter the file name of the post push script.
    Important: Read the pre and push script usage instructions here.
    Post - Push Script File Path This field is displayed when Script Location = In Device.
    Enter the location on your local system where the post-push script file is stored.
    Important: Read the pre and push script usage instructions here.
    Push Automatically To automatically push the certificate after it is renewed/reissued to the target system, enable this checkbox.
    Note: The auto push feature for a certificate works only if enabled for the certificate application connector as well as the associated certificate group. To enable this feature at the certificate group level, refer to the instructions here.
  6. Click Save.
    The connector is displayed on the certificate holistic view.

Pushing Server Certificates to Device

  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Push to Device > Server.
    The Server Certificate page is displayed.
  2. To push a certificate, under Common Name, double click the required certificate.
    The certificate topology view is displayed.
  3. Click Push to Device. If the application connector has not yet been added to the certificate, add it first and then proceed.
    Note:
    • The Push to Device option is displayed only after an application connector is added to the certificate.
    • Currently, certificate deployment is supported only to the staging environment.
    • Renewal of existing enrollments with updated certificates is also not supported at this time.
    The Confirmation dialog box is displayed.
  4. Enter your comments, if required, in the text field.
  5. Click OK.
    • The approval process is triggered. The current flow is based on the default policy of two-level approvals.
    • A request ID and work order ID are generated automatically and the work order status is displayed alongside the connector in the certificate topology view.
  6. To approve the push request, from the certificate topology view, click Approve.
  7. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The work order status displayed beside the connector updates to Push-Review In Progress.
  8. To implement the push request, from the certificate topology view, click Implement.
  9. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The push action is triggered. After the push action is completed, the status updates to Completed.

What's Next

After adding the connector, you can proceed with pushing a server certificate to the device: